Skip to content

Commit 8a07b1e

Browse files
kwentclaude
andauthored
Add OIDC publish workflow for npm provenance (#7)
* 🚀 ci: add OIDC publish workflow for npm provenance Enables npm publish with OIDC provenance on GitHub release. Uses id-token:write permission and --provenance flag for supply chain security. Modeled after rootly-ts publish workflow. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * 🔒️ fix: remove NPM_TOKEN in favor of OIDC trusted publishers No secret needed — npm auth handled entirely via OIDC id-token. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * 🔧 chore: remove registry-url to allow OIDC auto-detection setup-node's registry-url writes .npmrc with empty NODE_AUTH_TOKEN, which blocks npm's OIDC trusted publisher auto-detection. Removing it lets npm CLI use OIDC directly. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * 🔧 chore: install latest npm for OIDC trusted publisher support Ensures npm CLI version supports OIDC auto-detection for provenance publishing without explicit token configuration. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * 🔧 chore: add Dependabot config for npm and GitHub Actions Weekly dependency updates on Wednesdays for both npm packages and GitHub Actions, with minor/patch grouping. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
1 parent f948e3b commit 8a07b1e

2 files changed

Lines changed: 59 additions & 0 deletions

File tree

.github/dependabot.yml

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: "npm"
4+
directory: "/"
5+
schedule:
6+
interval: "weekly"
7+
day: "wednesday"
8+
time: "06:00"
9+
assignees:
10+
- "kwent"
11+
labels:
12+
- "dependencies"
13+
open-pull-requests-limit: 20
14+
cooldown:
15+
default-days: 3
16+
semver-major-days: 7
17+
groups:
18+
minor-and-patch:
19+
applies-to: version-updates
20+
update-types:
21+
- "minor"
22+
- "patch"
23+
patterns:
24+
- "*"
25+
26+
- package-ecosystem: "github-actions"
27+
directory: "/"
28+
schedule:
29+
interval: "weekly"
30+
day: "wednesday"
31+
time: "06:00"
32+
assignees:
33+
- "kwent"
34+
open-pull-requests-limit: 20
35+
cooldown:
36+
default-days: 3

.github/workflows/publish.yml

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
name: Publish
2+
3+
on:
4+
release:
5+
types: [published]
6+
7+
jobs:
8+
publish:
9+
runs-on: ubuntu-latest
10+
timeout-minutes: 10
11+
permissions:
12+
contents: read
13+
id-token: write
14+
steps:
15+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
16+
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
17+
with:
18+
node-version: 24
19+
- run: npm install -g npm@latest
20+
- run: corepack enable
21+
- run: yarn install --immutable
22+
- run: yarn build
23+
- run: npm publish --provenance --access public

0 commit comments

Comments
 (0)